Rule Update
15-036 (December 8, 2015)
Publish date: December 08, 2015
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DNS Server
1007137* - PowerDNS Recursor Remote Denial Of Service Vulnerability (CVE-2014-3614)
Mail Client Windows
1007203 - TMTR-0002: PRORAT SMTP Request
Microsoft Office
1006624* - Microsoft Office Component Use After Free Vulnerability (CVE-2015-1642)
1007279 - Microsoft Office Memory Corruption Vulnerability (CVE-2015-6040)
1007280 - Microsoft Office Memory Corruption Vulnerability (CVE-2015-6118)
1007281 - Microsoft Office Memory Corruption Vulnerability (CVE-2015-6122)
1007282 - Microsoft Office Memory Corruption Vulnerability (CVE-2015-6124)
1007283 - Microsoft Office Memory Corruption Vulnerability (CVE-2015-6177)
1007291 - Microsoft Office Multiple Insecure Library Loading Vulnerabilities
1007251 - Microsoft Office Remote Code Execution Vulnerability (CVE-2015-6172)
Suspicious Client Application Activity
1007181 - TMTR-0001: PRORAT HTTP Request
1007182 - TMTR-0003: PRORAT HTTP Request
1005294* - TMTR-0004: GHOST RAT HTTP Request
1007197 - TMTR-0005: GHOST RAT TCP Connection Detected
1007184 - TMTR-0006: BUTERAT HTTP Request
1007186 - TMTR-0007: STRAT HTTP Request
1007199 - TMTR-0008: STRAT HTTP Request
1007198 - TMTR-0009: STRAT HTTP Request
1007200 - TMTR-0010: FAKEM RAT TCP Connection
1007201 - TMTR-0011: FAKEM RAT TCP Request
1007205 - TMTR-0012: FAKEM RAT TCP Connection
1007206 - TMTR-0013: FAKEMRAT HTTP Request
1007207 - TMTR-0014: NJRAT TCP Connection
1007202 - TMTR-0015: PSYRAT HTTP Request
1007208 - TMTR-0016: SPLINTER RAT TCP Connection
1007209 - TMTR-0017: ZIYAZO RAT BKDR Connection
Web Client Common
1006824* - Adobe Flash ActionScript3 ByteArray Use After Free Vulnerability
1006903* - Adobe Font Driver Memory Corruption Vulnerability (CVE-2015-2426)
1007063* - Foxit Reader PNG Conversion Arbitrary Code Execution Vulnerability
1007119* - Identified Malicious Adobe Flash SWF File - 2
1007277 - Microsoft Windows Graphics Memory Corruption Vulnerability (CVE-2015-6106)
1007249 - Microsoft Windows Graphics Memory Corruption Vulnerability (CVE-2015-6107)
1007250 - Microsoft Windows Integer Underflow Vulnerability (CVE-2015-6130)
1007284 - Microsoft Windows Library Loading Elevation Of Privilege Vulnerability (CVE-2015-6133)
1007287 - Microsoft Windows Library Loading Remote Code Execution Vulnerability (CVE-2015-6128)
1007288 - Microsoft Windows Library Loading Remote Code Execution Vulnerability (CVE-2015-6132)
1007285 - Microsoft Windows Media Center Information Disclosure Vulnerability (CVE-2015-6127)
1007047* - Windows Media Center Remote Code Execution Vulnerability
Web Client Internet Explorer/Edge
1007276 - Microsoft Edge Elevation of Privilege Vulnerability (CVE-2015-6170)
1007248 - Microsoft Edge Memory Corruption Vulnerability (CVE-2015-6168)
1007227 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6140)
1007229 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6142)
1007234 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6148)
1007239 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6153)
1007240 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6154)
1007241 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6155)
1007243 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6158)
1007244 - Microsoft Internet Explorer And Edge Memory Corruption Vulnerability (CVE-2015-6159)
1007275 - Microsoft Internet Explorer Information Disclosure Vulnerability (CVE-2015-6157)
1007147* - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6075)
1007224 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6083)
1007273 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6134)
1007228 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6141)
1007230 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6143)
1007231 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6145)
1007232 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6146)
1007233 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6147)
1007235 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6149)
1007236 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6150)
1007238 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6152)
1007242 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6156)
1007245 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6160)
1007246 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2015-6162)
1007274 - Microsoft Internet Explorer Scripting Engine Information Disclosure Vulnerability (CVE-2015-6135)
1007225 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2015-6136)
1007237 - Microsoft Internet Explorer and Edge Memory Corruption Vulnerability (CVE-2015-6151)
Web Client SSL
1005040* - Identified Revoked Certificate Authority In SSL Traffic
Web Server Common
1007185* - Java Unserialize Remote Code Execution Vulnerability
Web Server IIS
1004396* - IIS Repeated Parameter Request Denial Of Service Vulnerability
Web Server SAP
1004831* - SAP Management Console OSExecute Payload Execution
Windows Services RPC Server
1007064* - Executable File Uploaded On System32 Folder Through SMB Share
1006906* - Identified Usage Of PsExec Command Line Tool
Integrity Monitoring Rules:
1006802* - TMTR-0003: Suspicious Files Detected In Operating System Directories
1006801* - TMTR-0004: Suspicious Files Detected In Operating System Directories
1006682* - TMTR-0008: Suspicious Files Detected In Application Directories
1007210 - TMTR-0018: Suspicious Files Detected In User Profile Directory
1007214 - TMTR-0019: Suspicious Files Detected In System Drivers Directory
1007215 - TMTR-0020: Suspicious Directories Detected In System Drive
1007216 - TMTR-0021: Suspicious Files Detected In System Drive
1007217 - TMTR-0022: Suspicious Files Detected In Recycle Bin
1007218 - TMTR-0023: Suspicious Changes In NTLM Settings
1007219 - TMTR-0024: Suspicious Files Detected In C Drive
1007221 - TMTR-0026: Suspicious Files Detected In Program Files Folder
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.